Microsoft Downplays Risks of Zero-Day Exploits

Zero-day software vulnerabilities may be alarming, but a new report from Microsoft sees them as not the biggest risk for organizations and PC users.

According to Microsoft, only 0.12 percent of all software exploits in the first half of this year were associated with "zero-day" malware, which exploits security vulnerabilities that have not yet been publicly disclosed or patched. The company disclosed this information in its biannual Microsoft Security Intelligence Report, released this week. In it, Microsoft reported that the remaining attacks, more than 99 percent of the total, "distributed malware through familiar techniques, such as social engineering and unpatched vulnerabilities."

"The risk associated with zero-day exploits is real and should be represented in organizations' risk management plans," said Tim Robbins, director of product management in Microsoft’s Trustworthy Computing group, in a blog post. "That said, the data in this study helps put that risk into perspective relative to the top malware threats and exploit attempts observed in use on the Internet."

Microsoft attributed the low number of actual zero-day exploits to the diligence of security vendors providing patches and detection signatures quickly after a vulnerability is discovered. Microsoft provided some examples, pointing to two Adobe zero-day exploits that made up the majority of the 0.12 percent of attacks in the first half of 2011. Adobe released an update to its Flash player less than a week after the first zero-day incident was reported and issued a fix two days after a June 12 exploit incident occurred.

Many software security vendors emphasize zero-day exploits because such a vulnerability is, by definition, new and still unpatched when it is first exploited.

"The zero-day vulnerability is especially alarming for consumers and IT professionals, and for good reason -- it combines fear of the unknown and an inability to fix the vulnerability, which leaves users and administrators feeling defenseless," Microsoft wrote in the report. "It's no surprise that zero-day vulnerabilities often receive considerable coverage in the press when they arise, and can be treated with the utmost level of urgency by the affected vendor and the vendors' customers."

However, Microsoft took a slightly different view in the SIR report. While diligence is not a bad policy, these zero-day attacks are minuscule compared with the totality of security issues.